For Sale: The Phone Numbers of Millions of Israeli Facebook Users

A Telegram bot claims to have the numbers of 533 million users from around the world as a result of a Facebook security vulnerability that was fixed in 2019. For $20 you can buy one

Send in e-mailSend in e-mail
The Telegram app. The phone numbers of millions of Facebook users are on sale online through a bot running on the app
The Telegram app. The phone numbers of millions of Facebook users are on sale online through a bot running on the appCredit: Wally Santana/AP

When WhatsApp updated its terms of use and privacy policy in January requiring users to accept the sharing of some of their data with Facebook in order to keep using the app, it set off a public outcry among internet privacy advocates – despite the fact that WhatsApp has been sharing user data with its parent company since August 2016.

In the wake of the media firestorm and threats to abandon the platform, WhatsApp announced that it was postponing the change until May. However, it now turns out that for the past two years more than 3.9 million private phone numbers of Israeli Facebook users have fallen into the hands of hackers and are up for sale, through a Telegram bot. Israel isn't alone in the security breach: At least 533 million phone numbers and other personal details of Facebook users around the world are for sale on the internet.

The Facebook database whose contents are up for sale contains the phone numbers of at least 11 million British users and 32 million Americans. When the Telegram bot is launched it says, "The bot helps to find out the mobile phone numbers of Facebook users" and offers data from 107 countries. Facebook said it patched the vulnerability that allowed access to the database in 2019, but as noted the information is still very much alive on the internet.

Access to the enormous database was made possible by a vulnerability that was found – and patched – in 2019. That means the data in it is more than a year old, but various hackers trying to maximize their profits continue to market it. For $20, you can buy a Facebook user ID or a user's phone number (with discounts for buying in bulk). The illegal activity was discovered by Alon Gal, the co-founder and chief technology officer of the cybersecurity firm Hudson Rock.

Since many people keep the same phone number for years, the fact that the data is from 2019 doesn't make it less valuable, or dangerous, today. Using a so-called bot eliminates the need for the hacker to communicate with the customer, streamlining the potential sale of personal details. The Telegram bot has been running since at least January 12, and Gal says it may have started earlier.

"At first there was an offer to sell a database that associates cellphone numbers to the Facebook accounts of more than 500 million users," Gal explains. "As part of the natural process that happens in the world of data sales, another person with access to the database decided [not just to sell it but] make it much more widely accessible by using a Telegram bot that allows data to be retrieved automatically." 

Gal said his company received a sample of the bot's data: "Hudson Rock is in contact with hackers from around the world, which enables us to obtain information and exclusive understandings that we share with customers and the relevant legal authorities," he said.

While it's not clear whether the authorities are taking action against the Telegram bot, this is obviously very embarrassing for Facebook, since many of the numbers were submitted to the company as part of a two-step identification process that is supposed to guarantee the privacy of users. It is currently believed that the database first surfaced with a hacker named Greenhat, but it later turned out that he stole it from another hacker who calls himself Yusuf. "It's very unlikely that he was the first hacker to get this data," Galon said on Twitter.

Comments